In 2023, a quarter (25.6%) of incidents originated with a known vulnerability, according to the Arctic Wolf Labs 2024 Threat Report. And while zero-day vulnerabilities only accounted for a tiny percentage of incidents in 2023, two of them — the MOVEit Transfer Vulnerability and the GoAnywhereMFT Vulnerability — wreaked havoc around the globe.
The fact is that, for all the concern about phishing, insider threats, and other sophisticated tactics, when it comes to unlocking those first doors during a cyber attack, it’s vulnerabilities that threat actors continually turn to, and there’s plenty to choose from. There were 29,000 vulnerabilities published in 2023, and over half of them, an increase of 57% YoY, were given a CVSS score indicating high or critical severity.
This prominent threat can affect organizations of all sizes and industries, so it’s critical that businesses understand vulnerabilities and how to implement a vulnerability management program that, more than just eliminating vulnerabilities as they arise, works through a risk-based paradigm to continually harden the attack surface.
Why Are Vulnerabilities Persistently Used in Cyber Attacks?
As noted above, vulnerabilities aren’t just prevalent, they’re almost ubiquitous. As Arctic Wolf’s frequent security bulletins and the ever-expanding list of CVEs every year shows, the risk of new vulnerabilities that can be exploited is increasing. These vulnerabilities can not only grant instant access for threat actors, they can allow them to execute actions while going undetected, as often the actions appear legitimate.
Take the MOVEit transfer vulnerability. It allowed threat actors to execute commands remotely and escalate privileges. For the Cl0P ransomware group, this vulnerability allowed them to quickly execute hundreds of ransomware attacks, with 169 observed within a month of the zero-day exploitation.
This single attack highlights how devastating vulnerabilities can be. Another reason they are so heavily favored by threat actors is because cybercriminals know that organizations often lack the manpower, resources, and expertise to properly patch and remediate vulnerabilities within their organization. From knowing which vulnerabilities exist to how to assess their risk to how to remediate them in a timely manner, organizations’ cybersecurity teams are often at a loss, and threat actors are all too eager to take advantage.
Learn more about why vulnerabilities are so persistent.
Vulnerabilities aren’t going anywhere, so organizations must implement measures to harden their attack surface, mitigate known vulnerabilities, and ensure those potential avenues for cyber attacks are cut off. Of course, that’s easier said than done for a multitude of reasons, but vulnerability management is the blueprint for how organizations can achieve this lofty goal and stop the onslaught of vulnerability exploitations.
What Is Vulnerability Management?
Vulnerability management refers to the ongoing process undertaken by an organization to identify, assess, and remediate vulnerabilities within their environment.
Vulnerability management contains four main components, all four of which are often happening in parallel to stay on top of new vulnerabilities that may appear in the environment:
- Scanning
- Assessment
- Patch management
- Remediation
It’s important to note that vulnerabilities are not the same as risks, nor are they the same as threats.
If a threat actor has potential to exploit a vulnerability, that is a threat. The risk is hypothetical damage that would occur if the threat were carried out and the vulnerability is exploited. The terms are connected, but not synonymous.
The Vulnerability Management Life Cycle
Vulnerability management follows a standard life cycle, which consists of four stages:
- Discover. This phase involves a comprehensive inventory of assets and applications within the environment which contain known vulnerabilities.
- Assess. In this phase, the known vulnerabilities are investigated and ranked based on urgency, risk, and more. It’s often impossible to remediate every single vulnerability, so this stage is critical in terms of risk reduction and risk acceptance.
- Harden. This is the phase where vulnerability remediation, patching, and mitigation occurs.
- Validate. In this phase, the organization will verify that the vulnerabilities have been remediated through rescanning and reassessing. This phase will also involve monitoring of the assets and applications.
Explore the importance of asset discovery and classification with our on-demand webinar.
What Is Risk-Based Vulnerability Management?
Risk-based vulnerability management is a form of vulnerability management where the decisions made in each stage of the above life cycle are determined by internal and external risk factors.
Every organization is different and has unique business and security goals that could be in flux, which impacts how they approach and execute vulnerability management.
Vulnerabilities fit into four categories — network, operating system, process, and human — and are classified based on the severity of their potential threat. However, just because a vulnerability is classified as critical does not mean it’s critical for a given organization to remediate it. Vulnerability management depends on internal factors, not just outside classifications.
Risk-based vulnerability management takes in that risk and then uses that information to inform how vulnerabilities are remediated, patched, mitigated, or in some cases, ignored through a certain level of risk acceptance.
For example, Arctic Wolf identified 30 of the most exploited vulnerabilities in 2023. These vulnerabilities vary in criticality and rating, but were chosen most frequently by threat actors, which informs how risky they could be to a given organization. However, an organization may not contain all 30 or may deem some as low risk. It’s a subjective process that should be continually evaluated.
Another example would be looking at the most dangerous types of vulnerabilities, which are seen repeatedly in exploits and subsequent cyber attacks.
They are:
- Remote Code Execution
- Hardcoded Credentials
- Denial of Service
- Directory Traversal
- Privilege Escalation
All five of these vulnerability executions can be leveraged together at different stages of an incident to further the attack and lead to a full-fledged breach.
These groupings are based on threat intelligence, which should be a key source of information your organization uses to evaluate risk and make vulnerability-based decisions.
Learn more about threat intelligence.
Benefits of a Risk-Based Vulnerability Management Program
Approaching vulnerability management this way, with risk as the main deciding factor, can have multiple benefits for an organization.
- It reduces the effort and time required for remediation and patching, as certain vulnerabilities may be left alone while others will be attended to first
- It allows security teams to map out how they will harden their attack surface over time
- It improves the decision-making process by taking in multiple sources of information (threat intelligence, business goals, current risk levels) allowing for more precise vulnerability management
- It allows for broader visibility, assessment, and attack surface management as every component is weighed in the decision-making and action process
Risk-based vulnerability management is an evolution of traditional vulnerability management that is more suitable for an in-flux modern environment. It allows organizations to look at vulnerability management as part of a whole proactive security strategy, instead of an isolated “find and remediate” process.
How To Implement a Risk-Based Vulnerability Management Program
Before embarking on a vulnerability management program, there are four questions an organization should ask itself:
- Which vulnerabilities should be remediated first?
- How can those vulnerabilities be remediated efficiently and effectively?
- How does my organization prioritize those vulnerabilities based on resources and risk tolerance?
- How should realistic deadlines be set?
The answers to these questions will create guidelines your organization can follow every time new vulnerabilities appear, or your security team conducts assessments. Of course, asking these questions is easier than answering them, and easier still than dedicating the time, resources, and expertise to the actions needed.
The fact is, vulnerability management is an ongoing process that will improve with time, and every implementation and outcome depend on your organizations’ resources, business risk, and expertise. No two outcomes are the same.
The Value of Partnering with a Third-Party for Vulnerability Management
Proactive security is vital to an organization’s overall security posture and defenses. But too many organizations find themselves stuck in a cycle of reacting to immediate threats due to a lack of resources, budget, expertise, and more. Additionally, many organizations are digitizing and adopting cloud-based applications, which only complicates their environment and introduces new risks. While building out a risk-based vulnerability management plan is essential, doing so alone may be impossible.
Additionally, using tools alone, like scanners, could help with one part of the management life cycle, but burden strained staff in others as they now have too many alerts and information to sort through and act on.
Arctic Wolf® Managed Risk takes a holistic approach, combining industry-leading tooling with the human support of the Arctic Wolf® Security Teams to help organizations discover, assess, and harden their environment by contextualizing the attack surface coverage across network, endpoint, and cloud environments.
Learn more about how Arctic Wolf Managed Risk can help your organization rethink vulnerability management.
Understand how proactive security can transform your organization’s security posture.
